d4e92c19ffd7a3dc20d1ee85618be443d38febc9942010ef498b1c54063884c2

General

Target

a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
Size

53KB
MD5

a0dd04f054c6ca6b93518a5e6e15d100
SHA1

acfff31fc262b5663de29e3549699c400095a60b
SHA256

d4e92c19ffd7a3dc20d1ee85618be443d38febc9942010ef498b1c54063884c2
SHA512

3db2b87029373bcc0f358da1624a200b486ee362e2abfe1bdfb2682c091ec0ff9e051fcc27c296437114f559f84ac8f978bf6f84a1421f7c0cd65179b6048f5a
SSDEEP

1536:vN1g8r8Q2cMdLjYvIQ7Kp3StjEMjmLM3ztDJWZsXy4JzxPMEXppppppppppppp:6c6LjYvIQJJjmLM3zRJWZsXy4JN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

yaiexa.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yaiexa.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

yaiexa.exe

pid process

3436 yaiexa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yaiexa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaiexa = "C:\\Users\\Admin\\yaiexa.exe"	yaiexa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yaiexa.exe

pid	process
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe
3436	yaiexa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exeyaiexa.exe

pid process

4524 a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
3436 yaiexa.exe

pid	process
4524	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
3436	yaiexa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exeyaiexa.exe

description	pid	process	target process
PID 4524 wrote to memory of 3436	4524	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe	yaiexa.exe
PID 4524 wrote to memory of 3436	4524	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe	yaiexa.exe
PID 4524 wrote to memory of 3436	4524	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe	yaiexa.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
PID 3436 wrote to memory of 4524	3436	yaiexa.exe	a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a0dd04f054c6ca6b93518a5e6e15d100_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\yaiexa.exe
"C:\Users\Admin\yaiexa.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yaiexa.exe

Filesize
53KB

MD5
435e5ee86d24d2b36a2ef10d9cd5d685

SHA1
8006022c1e959caf331bd2772f26b6b84cc0b874

SHA256
f3933a8c271798f39097d245a94b9faaa0658cc5f1b8c50fc00e4da368a51e04

SHA512
2ec70e212bedfc62f25e5fc90e33ca8244077f6f7d592898a84aa6191aee7f2e5d1bf946173cb5d34f19aee47de659905d98d5cdf429a8815dde8e120d3d18b4

Download Submit
memory/3436-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads